If you spend any time at a technology conference, there is going to be some speaker who tells you that everything you use is a major security risk. Dropbox is insecure, your iPhone is insecure, and your Wi-Fi network is insecure. By the end of the presentation you might be ready to throw out your computer and buy a telegraph machine, yet when you get back to your office you do not change any of your behavior. The fear the speaker tried to instill does not override your desire to be productive.
The purpose of this paper is not to scare you for an afternoon and then send you back to business as usual. We will break down the threats and give you common-sense solutions that will not make you less productive.
Bring-your-own-device (BYOD) uptake accounts for about 40 percent of U.S. enterprise employees, according to the latest statistics by Gartner.*
http://www.zdnet.com/article/bring-your-own-device-gains-traction-in-the-u-s-even-if-enterprises-arent-ready-yet/
Document retention policy: Include information on whether or not email will be archived and for how long. If your organization is required to archive email messages, state that all emails will be archived and include the number of years that the records will be kept. If you are not required to archive your emails, notify your users about whether they can or should delete emails after a number of months or years.
Treatment of confidential data: Include rules and guidelines on how employees should handle your company's confidential information and trade secrets. They should also know not to forward confidential messages or attachments from other companies without permission. Require employees to encrypt any confidential information sent via email and to change passwords regularly.
Email disclaimer: If you are adding a disclaimer to employees' emails, you should inform them of this and state the disclaimer text that is added.
Email monitoring: If you are going to monitor your employees' emails, you must state this in your email policy. Warn that employees should have no expectation of privacy in anything they create, store, send or receive on the company's computer system, and that the company may, but is not obliged to, monitor messages without prior notice. If you do not state that the company is not obliged to monitor messages, an employee could potentially sue the company for failing to block a particular message.
http://www.policypatrol.com/10-points-to-include-in-your-email-policy/
You can turn Message Archiving on or off at any time, as follows:
Access the Administration Console:
Sign in to the Google Admin console.
On the dashboard, click Postini services.
Click System Administration.
Go to Orgs and Users > Orgs, and then select the user organization for which you want to turn on archiving.
On the Organization Management page, scroll down to Organization Settings, then click Archiving.
Under Message Archiving Settings, select or clear the Archive messages for this organization check box.
If you are turning on archiving:
Google Apps Message Discovery: Ensure that All inbound & outbound messages is selected. Don't select All journaled messages, because that option does not apply to your service.
Google Message Discovery: Select either All inbound & outbound messages or All journaled messages. If you select both options, Message Archiving stores two copies of all inbound and outbound messages.
TrueCrypt for laptop hard drives (note: TrueCrypt's developers discontinued it in 2014; prefer the built-in options below or an actively maintained successor)
Boxcryptor for your tablets/smartphones
Windows has BitLocker
Mac has FileVault
This is a solution for the public cloud. To get around these three problems, encrypt your own data on your computers before it is synced; that renders the questions moot. The above image is my Dropbox account. If you were to log into Dropbox's website, you could not read any of the data because it is encrypted. The only way to read it is from a computer, tablet or phone with the encryption software installed.
Viivo: http://www.viivo.com
BoxCryptor: https://www.boxcryptor.com/
Sookasa: https://www.sookasa.com/
WiFi Checklist
Have a wireless router that offers a guest network
Make sure the guest network can't reach your internal network
Protect both the guest network and the regular network with their own passwords (WPA2, not WEP)
This helps protect your client data and yourself.
CryptoLocker was a ransomware trojan that targeted computers running Microsoft Windows and is believed to have first been posted to the Internet on 5 September 2013. CryptoLocker propagated via infected email attachments and via an existing botnet; when activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message offering to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) was made by a stated deadline, and threatened to delete the private key if the deadline passed. If the deadline was not met, the malware offered to decrypt the data via an online service provided by its operators, for a significantly higher price in Bitcoin.
Although CryptoLocker itself was readily removed, files remained encrypted in a way that researchers considered infeasible to break. Many said that the ransom should not be paid but did not offer any way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up. Some victims claimed that paying the ransom did not always lead to the files being decrypted.
CryptoLocker was isolated in late May 2014 via Operation Tovar, which took down the Gameover ZeuS botnet that had been used to distribute the malware. During the operation, a security firm involved in the process obtained the database of private keys used by CryptoLocker, which was in turn used to build an online tool for recovering the keys and files without paying the ransom. It is believed that the operators of CryptoLocker successfully extorted a total of around $3 million from victims of the trojan. Other instances of encryption-based ransomware that have followed have used the "CryptoLocker" name (or variations), but are otherwise unrelated.
http://en.wikipedia.org/wiki/CryptoLocker
Microsoft Security Essentials / Windows Defender is free and does the job well for Windows computers: http://goo.gl/DBz2S6. Antivirus is the first line of defense, not the last: CryptoLocker encrypted mounted network drives as well as local ones, so also keep a backup that is not permanently connected to the computer.
Hover over Friendly From
Probably the easiest way to identify whether an email is legitimate is to hover your mouse over the name in the From column. You will then see whether the email is from a recognizable domain that is linked to the actual sender name. For example, an email from Match.com should typically have the From domain match.com (not motch.com or humbletemper.com). This check catches lookalike and unrelated domains; the From address itself can also be forged outright, so treat a matching domain as a good sign rather than proof.
http://blog.returnpath.com/blog/lauren-soares/10-tips-on-how-to-identify-a-phishing-or-spoofing-email
If you can identify the sending IP of that email, you can look up the IP's reputation through Return Path's Sender Score site. This tool reveals a score (0-100) and gives some insight into the sending IP's historical performance. The lower the score, the more likely the email is a phishing or spoofing attempt.
https://www.senderscore.org/
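The two tips above can be automated. The script below is an added example written for this page (it is not Return Path's code): it parses a raw message, compares the domain of the actual From address with the domain the display name implies, flags near-miss lookalikes such as motch.com, and pulls the connecting IP out of the Received header written by your own mail server, which is the IP you would look up on Sender Score. The two messages, the domains, the hostnames and the addresses 203.0.113.45 and 198.51.100.7 are constructed for the demonstration; "example.com" stands in for your own mail domain.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the display name says Match.com, the real address does not.
SAMPLE_PHISH = """\
Received: from mail.humbletemper.com (mail.humbletemper.com [203.0.113.45])
    by mx.example.com with ESMTP id abc123
    for <you@example.com>; Mon, 13 Jan 2014 10:00:00 -0500
From: "Match.com Support" <support@motch.com>
To: you@example.com
Subject: Your account needs verification

Click here to verify your account.
"""

# Constructed sample of what a legitimate message would look like.
SAMPLE_LEGIT = """\
Received: from out.match.com (out.match.com [198.51.100.7])
    by mx.example.com with ESMTP id def456
    for <you@example.com>; Mon, 13 Jan 2014 11:00:00 -0500
From: "Match.com" <noreply@match.com>
To: you@example.com
Subject: Weekly matches

Here are this week's matches.
"""

# "from <host> (<host> [<ip>]) by <our host>" as written by most mail servers.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s*(?:\([^)]*?\[(\d{1,3}(?:\.\d{1,3}){3})\][^)]*\))?\s+by\s+(\S+)",
    re.IGNORECASE,
)


def levenshtein(a, b):
    """Edit distance, used to spot one-letter-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from(raw, expected_domain):
    """Compare the real From domain with the domain the brand name implies."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    expected = expected_domain.lower()
    if domain == expected or domain.endswith("." + expected):
        verdict = "match"
    elif levenshtein(domain, expected) <= 2:
        verdict = "lookalike"   # e.g. motch.com standing in for match.com
    else:
        verdict = "unrelated"   # e.g. humbletemper.com
    return {"display_name": display_name, "address": address,
            "domain": domain, "verdict": verdict}


def connecting_ip(raw, trusted_suffix):
    """IP of the host that handed the message to one of our own servers.

    Only Received headers added by our own servers (the 'by' host ends with
    trusted_suffix) can be trusted; a sender can forge any earlier ones.
    Headers are prepended on the way in, so the first trusted one we meet
    is the external hop that connected to us.
    """
    msg = message_from_string(raw, policy=policy.default)
    for header in msg.get_all("Received", []):
        unfolded = " ".join(str(header).split())
        m = RECEIVED_RE.search(unfolded)
        if m and m.group(1) and m.group(2).lower().endswith(trusted_suffix.lower()):
            return m.group(1)
    return None


if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_LEGIT):
        info = classify_from(raw, "match.com")
        print(info["verdict"], info["address"], "via", connecting_ip(raw, "example.com"))
```

Run against the two samples it reports `lookalike support@motch.com via 203.0.113.45` and `match noreply@match.com via 198.51.100.7`. The registered-domain comparison is deliberately simple (it treats any subdomain of the expected domain as a match); a sender using an exact forged From address would still pass it, which is why the IP and its reputation are checked separately.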
With my GoDaddy account restored, I was able to regain access to my e-mail as well. I changed the e-mail address I use at several web services to an @gmail.com address. Using my Google Apps e-mail address with a custom domain feels nice, but it has a chance of being stolen if the domain server is compromised. If I were using an @gmail.com e-mail address for my Facebook login, the attacker would not have been able to access my Facebook account.
If you are using your Google Apps e-mail address to log into various websites, I strongly suggest you stop doing so. Use an @gmail.com address for logins. You can use the nicer custom-domain e-mail for messaging purposes. I still do.
http://arstechnica.com/security/2014/01/how-i-lost-my-50000-twitter-username/
In addition, I also strongly suggest you use a longer TTL for the MX record, just in case. It was a 1-hour TTL in my case, and that's why I didn't have enough time to keep receiving e-mails to the compromised domain after losing DNS control. If it had been a week-long TTL, for example, I would have had a greater chance to recover the stolen accounts.
Using two-factor authentication is a must. It's probably what prevented the attacker from logging into my PayPal account, though this situation illustrates that even two-factor authentication doesn't help for everything.
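Checking the MX TTL the story recommends takes one DNS query and a few lines of parsing. The script below is an added example for this page, not code from the Ars Technica article: it reads the answer section as printed by `dig +noall +answer MX <domain>` and flags any domain whose lowest MX TTL is under a week. The three records in it are constructed sample output, not real DNS data.

```python
import sys

WEEK = 7 * 24 * 3600

# Constructed sample of `dig +noall +answer MX <name>` output (not real data):
# example.com is on a 1-hour TTL, example.net is already on a week.
SAMPLE_DIG_OUTPUT = """\
example.com.        3600    IN  MX  10 mx1.example.com.
example.com.        3600    IN  MX  20 mx2.example.com.
example.net.        604800  IN  MX  10 mail.example.net.
"""


def parse_answers(text):
    """Turn dig answer lines (name ttl class type rdata) into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):     # skip blanks and dig comments
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        name, ttl, _, rtype, rdata = parts
        records.append({"name": name.rstrip(".").lower(), "ttl": int(ttl),
                        "type": rtype.upper(), "rdata": rdata})
    return records


def mx_ttl_report(text, minimum=WEEK):
    """Per domain: the lowest MX TTL seen and whether it meets the minimum."""
    report = {}
    for rec in parse_answers(text):
        if rec["type"] != "MX":
            continue
        entry = report.setdefault(rec["name"], {"ttl": rec["ttl"], "ok": True, "mx": []})
        entry["ttl"] = min(entry["ttl"], rec["ttl"])
        entry["ok"] = entry["ttl"] >= minimum
        entry["mx"].append(rec["rdata"])
    return report


if __name__ == "__main__":
    # Usage: dig +noall +answer MX yourdomain.com | python mx_ttl.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG_OUTPUT
    for name, entry in mx_ttl_report(text).items():
        status = "ok" if entry["ok"] else "raise TTL"
        print(f"{name}: lowest MX TTL {entry['ttl']}s -> {status}")
```

Two caveats when acting on the report: a long TTL only helps if resolvers already hold the record when the domain is hijacked, because what the attacker publishes afterwards does not shorten copies already cached, so raise it before you need it; and the same long TTL delays your own legitimate mail-server moves by the same amount.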
Enabling Two-Step Authentication for Your GoDaddy Account
Two-Step Authentication adds another layer of security to your account by texting you a validation code to enter whenever you log in or make important account changes.
After enabling this feature, you must enter a validation code every time you log in or make important account changes. If you log in to your account frequently or have multiple users managing your account, we do not recommend enabling this feature.
NOTE: At this time, only U.S.-based numbers can receive validation codes. This means your account's address must be in the United States (Settings > Account Owner Information > Country/Region) and your account's language must be set to United States — English (Settings > Contact Preferences > Language).
To Enable Two-Step Authentication
Log in to your Account Manager.
Go to the Settings tab.
Click Account Security Settings on the left.
In the Two-Step Authentication section, click Set Up.
Complete the following fields, and then click Next.
Account password — Enter your account's password.
Mobile phone — Enter the mobile phone number where you want to receive your validation codes, e.g. 4805551122.
Carrier — Select your mobile phone's carrier.
A validation code is sent via text message to the mobile phone. Enter the validation code you just received, and then click Finish.
Sign in to your Google Account settings page by clicking on your name or picture in the upper right corner of the screen and then clicking Account.
Scroll down to the "Signing in" box.
Click 2-Step Verification. This will bring you to the 2-Step Verification settings page.
You will then see a step-by-step guide which will help you through the setup process.
Once you’re done, you’ll be taken to the 2-Step Verification settings page again. Be sure to review your settings and add backup phone numbers.
You're done! Next time you sign in, you'll receive an SMS with a verification code.
Please follow these enrollment steps to avoid interruption of your Office 365 service:
1. Sign in to the Office 365 Portal at http://portal.microsoftonline.com.
2. Follow the instructions to set up your preferred multi-factor authentication method when signing into Office 365 using a web browser.
3. Create one app password for each device.
4. Enter the same app password in all applicable apps on that device, e.g. Outlook, Mail client, Lync, Word, PowerPoint, Excel, CRM etc.
5. Update your Office client applications or other mobile applications to use an app password.
You can visit http://aka.ms/mfasetup to create app passwords or change your MFA settings. Please bookmark this. App passwords exist because older client applications cannot prompt for a second factor, so a leaked app password grants mailbox access without MFA; treat them as secrets and revoke them when a device is retired.
Regardless of whether you are using a public or private cloud, you need a strong password. The best solution is to use a password manager like LastPass or RoboForm. These products automatically create long, random passwords that are not your cat's birthday.
Use at least 14 characters
Password Managers
RoboForm
LastPass
1Password
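Why 14 random characters rather than a memorable phrase is a matter of arithmetic, and the script below makes it concrete. It is an added example for this page, not code from LastPass, RoboForm or 1Password: it generates a password the way a password manager does (from the operating system's cryptographic random source, never Python's `random`), and compares its guessing entropy with a "pet name plus birthday" password. The pattern-password estimate (10,000 pet names, any date in a century) and the guess rate of 10 billion per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def generate_password(length=14, alphabet=ALPHABET):
    """Uniformly random password drawn from the OS CSPRNG via `secrets`.

    Re-draws until every character class present in the alphabet appears at
    least once, so the result also passes typical complexity rules; the
    entropy lost to this filter is negligible for length >= 8.
    """
    required = [cls for cls in (string.ascii_letters, string.digits, string.punctuation)
                if any(c in alphabet for c in cls)]
    if length < len(required):
        raise ValueError("too short to hold one character of each class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def random_password_bits(length, alphabet=ALPHABET):
    """Guessing entropy of a uniformly random string: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def pattern_password_bits(names=10_000, days=366, years=100):
    """Entropy of a 'Fluffy + birthday' password under the assumed attacker
    model: the attacker tries 10k pet names against every date in a century."""
    return math.log2(names * days * years)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("generated:", generate_password())
    for label, bits in (("14 random chars", random_password_bits(14)),
                        ("pet name + birthday", pattern_password_bits())):
        print(f"{label:20s} {bits:5.1f} bits, "
              f"{years_to_exhaust(bits):.1e} years to exhaust")
```

Under these assumptions the random 14-character password carries about 92 bits and would take on the order of ten billion years to exhaust, while the pet-name-plus-birthday password carries about 28 bits and falls in well under a second. The exact figures move with the assumptions; the gap of sixty-odd bits does not.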
https://www.eff.org/privacybadger
60 Minutes: Data Brokers: http://www.cbsnews.com/news/the-data-brokers-selling-your-personal-information/
Your public IP address is revealed to every web site you visit.
Revealing your public IP address is less like posting your street address and more like posting your neighborhood and your ISP: geolocation databases resolve an IP to an approximate location, usually city level, and your ISP can tie it to your account.
Anyone who gets onto your Wi-Fi shares that public IP. If they use it to download illegal material, the traffic traces back to your connection, potentially exposing you to a law enforcement investigation.